​Computer virus infected FAA system, agency admits

The Federal Aviation Administration’s computer system was compromised in February, the FAA now admits, after malicious software spread via email across an internal network.

A spokesperson for the
FAA confirmed to NextGov this week that a “known virus”
had been discovered on an “administrative computer
system” earlier this year, but that a subsequent
investigation concluded that the potential impact of the
intrusion was a far cry from catastrophic.

“After a thorough review, the FAA did not identify any damage
to agency systems,” agency spokeswoman Laura Brown told
Nextgov in an article published on Monday.

Nevertheless, the agency’s admission comes merely weeks after a
leading US lawmaker urged the FAA to adopt enhanced protective
measures in the cybersphere amid a wave of recent high-profile
hacks and an unflattering government audit.

“If the Sony hacking was bad, imagine how much worse the
hacking of the FAA computer system could be with thousands of
planes in the air,” Sen. Chuck Schumer (D-New York) warned
during a press conference last month, the New York Post reported. “Sophisticated terrorists could
even steer planes into one another. The threat of a cybercriminal
taking over this system makes your stomach sink.”

Schumer’s call for action came as a response to a Government
Accountability Office probe that identified “significant security
control weaknesses” within the FAA’s air traffic control system.

According to NextGov’s Aliya Sternstein, news of the cyberattack
surfaced in recent days when it was casually mentioned towards
the bottom of an April 2 presolicitation notice published by the FAA on the Federal
Business Opportunities website.

The FAA had planned to award a contract to a Virginia-based
consulting firm that would authorize the company to provide
“Cyber Security Management Center (CSMS) Security Operations
Center (SOC) support services” to the agency, the notice
acknowledged, but a previously unannounced intrusion had put
matters up in the air.

“Due to a recent cyber-attack, the FAA requires additional
planning time to determine the impact to the competitive
procurement requirements,” the notice reads in part.

The GAO’s audit of the FAA’s air traffic control system
released in March acknowledged that the agency had established a
steering committee to provide risk management functions with
regards to cyber, but had “not fully established the governance
structure and practices to ensure that its information security
decisions are aligned with its mission.”

"These include weaknesses in controls intended to prevent,
limit, and detect unauthorized access to computer resources, such
as controls for protecting system boundaries, identifying and
authenticating users, authorizing users to access systems,
encrypting sensitive data and auditing and monitoring activity on
FAA's systems," the report said.

“The excessive interconnectivity between [the National
Airspace System] and non-NAS environments increased the risk that
FAA’s mission-critical air traffic control systems could be
compromised.”

According to Brown, the FAA spokesperson, “the agency
immediately took steps to block and contain the virus and clean
any affected computers” after learning of the recent
compromise, which she said was confined solely to the
administration network.